System and method for providing a data service in an engineered system for middleware and application execution

ABSTRACT

A system and method can provide a data service in a network environment. The system can provide a data service component on a node in the network environment, wherein the network environment includes a plurality of nodes interconnected via a network fabric. Furthermore, the system can use a native packet forwarding mechanism to direct a data flow in the network fabric to said data service component on the node. Then, the system can use said data service component to process one or more data packets in the data flow in the network fabric.

CLAIM OF PRIORITY

This application claims priority on U.S. Provisional Patent ApplicationNo. 61/870,693, entitled “SYSTEM AND METHOD FOR PROVIDING NATIVE DATASERVICE IN AN ENGINEERED SYSTEM FOR MIDDLEWARE AND APPLICATIONEXECUTION” filed Aug. 27, 2013, which application is herein incorporatedby reference.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is related to the following patent application(s), eachof which is hereby incorporated by reference in its entirety:

U.S. patent application titled “SYSTEM AND METHOD FOR CONTROLLING A DATAFLOW IN AN ENGINEERED SYSTEM FOR MIDDLEWARE AND APPLICATION EXECUTION”,application Ser. No. ______, filed ______ (Attorney Docket No.ORACL-05476U52);

U.S. patent application titled “SYSTEM AND METHOD FOR SUPPORTING DATASERVICE ADDRESSING IN AN ENGINEERED SYSTEM FOR MIDDLEWARE ANDAPPLICATION EXECUTION”, application Ser. No. ______, filed ______(Attorney Docket No. ORACL-05476US3); and

U.S. patent application titled “SYSTEM AND METHOD FOR SUPPORTING HOSTCHANNEL ADAPTER (HCA) FILTERING IN AN ENGINEERED SYSTEM FOR MIDDLEWAREAND APPLICATION EXECUTION”, application Ser. No. ______, filed ______(Attorney Docket No. ORACL-05476US4).

COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains materialwhich is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor the patent disclosure, as it appears in the Patent and TrademarkOffice patent file or records, but otherwise reserves all copyrightrights whatsoever.

FIELD OF INVENTION

The present invention is generally related to computer systems, and isparticularly related to an engineered system for middleware andapplication execution or a middleware machine environment.

BACKGROUND

The interconnection network plays a beneficial role in the nextgeneration of super computers, clusters, and data centers. For example,the InfiniBand (IB) technology has seen increased deployment as thefoundation for a cloud computing fabric. As larger cloud computingarchitectures are introduced, the performance and administrativebottlenecks associated with the traditional network and storage havebecome a significant problem.

This is the general area that embodiments of the invention are intendedto address.

SUMMARY

Described herein are systems and methods that can provide a data servicein a network environment, such as an engineered system for middlewareand application execution or a middleware machine environment. Thesystem can provide a data service component on a node in the networkenvironment. The network environment can include a plurality of nodesinterconnected via a network fabric. Furthermore, the system can use anative packet forwarding mechanism to direct a data flow in the networkfabric to said data service component on the node. Then, the system canuse said data service component to process one or more data packets inthe data flow in the network fabric. Additionally, said data servicecomponent can provide the data service, which can be a software firewall(FWL) service or a traffic routing service, transparently to both thesource and destination application workloads.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 shows an illustration of providing a data service appliance forhandling native data in a network environment, in accordance with anembodiment of the invention.

FIG. 2 shows an illustration of using an external network connection forproviding data service in a network environment, in accordance with anembodiment of the invention.

FIG. 3 shows an illustration of providing a data service for a bump onthe wire (BoW) mode in a network environment, in accordance with anembodiment of the invention.

FIG. 4 shows an illustration of providing a software firewall (FWL) in anetwork environment, in accordance with an embodiment of the invention.

FIG. 5 shows an illustration of an exemplary engineered system, inaccordance with an embodiment of the invention.

FIG. 6 illustrates an exemplary flow chart for providing a data servicefor handling native data in a network environment, in accordance with anembodiment of the invention.

FIG. 7 shows an illustration of a subnet administrator (SA) in a networkenvironment, in accordance with an embodiment of the invention.

FIG. 8 shows an illustration of supporting a control flow for providinga data service in a network environment, in accordance with anembodiment of the invention.

FIG. 9 shows an illustration of supporting a data flow for providing adata service in a network environment, in accordance with an embodimentof the invention.

FIG. 10 illustrates an exemplary flow chart for controlling the dataflow for handling native data in a network environment, in accordancewith an embodiment of the invention.

FIG. 11 shows an illustration of a data packet format using InfiniBand(IB) addressing to access a data service in a network environment, inaccordance with an embodiment of the invention.

FIG. 12 shows an illustration of handling a data packet on anintermediate node in a network environment, in accordance with anembodiment of the invention.

FIG. 13 shows an illustration of supporting connection management in anetwork environment, in accordance with an embodiment of the invention.

FIG. 14 illustrates an exemplary flow chart for supporting data serviceaddress resolution for handling native data in a network environment, inaccordance with an embodiment of the invention.

FIG. 15 shows an illustration of supporting host channel adaptor (HCA)filtering for providing data services in a virtualized environment, inaccordance with an embodiment of the invention.

FIG. 16 shows an illustration of supporting host channel adaptor (HCA)filtering for providing data services in a non-virtualized environment,in accordance with an embodiment of the invention.

FIG. 17 illustrates an exemplary flow chart for supporting HCA filteringfor providing data services in a network environment, in accordance withan embodiment of the invention.

DETAILED DESCRIPTION

Described herein are systems and methods that can provide one or moredata services in an engineered system for middleware and applicationexecution (or a middleware machine environment).

A Data Service for Handling the Native Data

In accordance with an embodiment of the invention, a data servicecomponent (such as a data service appliance and/or a data serviceserver) can provide various types of data services in a networkenvironment, e.g. an engineered system for middleware and applicationexecution (or a middleware machine environment).

FIG. 1 shows an illustration of providing a data service appliance forhandling native data in a network environment, in accordance with anembodiment of the invention. As shown in FIG. 1, a plurality of nodes,e.g. nodes A-D 111-114, can be interconnected in a network environment100, e.g. via an INFINIBAND (IB) fabric 101.

Furthermore, a data service component 110, which resides on the node C113, can provide various data services for the data flow on the IBfabric 101. For example, the data flow between the nodes A 111 and thenode B 112 can be a native data flow. This native data flow can accessor consume the data services, which are provided by the data servicecomponent 110 on the intermediate node C 113. Thus, the native data inthe IB fabric 101 can be handled without a need to leave the IB fabric101.

In accordance with an embodiment of the invention, the data servicecomponent 110 can provide a software firewall (FWL) service, which canbe used for monitoring and inspecting all types of network traffic inthe network environment 100. Additionally, the data service component110 can be used for other purposes, such as for performing trafficrouting in the network environment.

Furthermore, multiple instances of a data service component (or multipledata service components) can be deployed in the same IB fabric 101 forproviding high availability (HA) and improving performance. As shown inFIG. 1, another data service component 120 can reside on the node D 114on the IB fabric 101. Both the data service component 110 and the dataservice component 120 can be simultaneously running on the IB fabric101.

In accordance with an embodiment of the invention, a data servicecomponent can either be dedicated to providing the data service or beconfigured to share the same physical machine with other applicationvirtual servers. As shown in FIG. 1, the node C 113, which hosts thedata service component 110, may host an application server 130. Thus,the node C 113 can be used for supporting different applicationworkloads. For example, the node C 113 can host virtual machines runningthese application workloads. On the other hand, the node D 114, whichhosts the data service component 120, may be dedicated to providing thedata services.

Moreover, the system can support different topological configurations inthe network environment 100. For example, the node C 113 can play therole as both a source node and a destination node, in addition to therole as an intermediate node for supporting communication between othernodes. Thus, a single node C 113, can support different types ofworkloads, including the source workload, the destination workload, andthe data service appliance workload.

In accordance with an embodiment of the invention, the system can deploya data service component 110 or 120 in a virtual machine (VM) as avirtual appliance (i.e. a data service appliance) in a virtualizedenvironment. Alternatively, the system can physically deploy a dataservice appliance 110 or 120 on a node as a data service server in anon-virtualized environment.

Furthermore, the traffic in the IB fabric 101 can be selectivelydirected to the data service component 110 or 120 for data processing(e.g. based on an evaluation of the resolved address of the targetendpoint). For example, the data packets can be directed to the node C113 (or the node D 114) using different routing algorithms for a nativepacket forwarding mechanism. Also, the traffic in the IB fabric 101 canbe selectively directed to a data service appliance based on theresolution of the VM.

FIG. 2 shows an illustration of using an external network connection forproviding data service in a network environment, in accordance with anembodiment of the invention. As shown in FIG. 2, a plurality of nodes,e.g. nodes A-B 211-212, can be interconnected in a network environment200, e.g. via an INFINIBAND (IB) fabric 201.

In accordance with an embodiment of the invention, a data service server210 can be provided in an external network 202 (e.g. an externalEthernet network). In such a case, the data flow may need to leave theIB fabric 201, before being processed by the data service server 210 inthe external network 202 and returned to the IB fabric 201 afterwards.

Furthermore, the system can use different mechanisms for connecting thedata service server 210 in the external network 202 to the IB fabric201. As shown in FIG. 2, the data service server 210 may be connected tothe IB fabric 201 via an Ethernet switch 220. Alternatively, the dataservice server 210 may be connected to the IB fabric 201, via anEthernet link 230 to the node B 212 on the IB fabric 201.

FIG. 3 shows an illustration of providing a data service for a bump onthe wire (BoW) mode in a network environment, in accordance with anembodiment of the invention. As shown in FIG. 3, a data service server311, which can provide various data services (e.g. a firewall service)in a network environment 300, can reside on an intermediate node 310.

In accordance with an embodiment of the invention, the intermediate node310 can be physically located between two communicating parties (or endpoints), e.g. the node A 301 and the node B 302. Thus, the data flowbetween the node A 301 and the node B 302 may be forced to pass throughthe data service server 311 on the intermediate node 310.

Additionally, the intermediate node 310 can include another applicationserver 312. In such a case, the system can use reverse filtering rulesfor determining which data packets in a data flow should be processed bythe data service server 311.

FIG. 4 shows an illustration of providing a software firewall (FWL) in anetwork environment, in accordance with an embodiment of the invention.As shown in FIG. 4, a plurality of nodes, e.g. nodes A-D 411-414, can beinterconnected in a network environment 400, e.g. via an INFINIBAND (IB)fabric 401.

Furthermore, multiple software FWL appliances can be deployed in the IBfabric 401 for providing high availability (HA) and improvingperformance. For example, a FWL 410 can reside on the node C 413 and aFWL 420 can reside on the node D 414.

As shown in FIG. 4, the traffic between the node A 411 and the node B412 in the IB fabric 401 can be directed to the FWL 410 for inspectionwithout leaving the IB fabric 401. The FWL 410 can decide whether toforward the data packets, which are received from the source node A 411,to the destination node B 412 or drop the data packets.

In accordance with an embodiment of the invention, the FWL 410 canmonitor and inspect various types of traffic in the IB fabric 401. Forexample, the IB traffic in the Oracle Exalogic engineered system caninclude the internet protocol over INFINIBAND (IPolB) traffic, theEthernet over INFINIBAND (EolB) traffic, the private virtualinterconnect (PVI) traffic, the sockets direct protocol (SDP) traffic,and the user-space/remote direct memory access (RDMA) traffic. Suchtraffic can be based on various transport protocols, such as theunreliable datagram (UD) transport protocol, the reliable connection(RC) transport protocol, the unreliable connection (UC) transportprotocol, the reliable datagram (RD transport protocol and the rawtransport protocol.

FIG. 5 shows an illustration of an exemplary engineered system, inaccordance with an embodiment of the invention. As shown in FIG. 5, anexemplary engineered system 500 can include a plurality of nodes, suchas nodes A-D 511-514, which are interconnected using multiple switchesA-B 501-502.

In accordance with an embodiment of the invention, the data servicecomponents, such as the firewall (FWL) appliances, can be deployed inpairs for supporting high availability (HA) and improving performance inthe engineered system 500.

As shown in FIG. 5, an application VM 541, which contains an applicationserver, can be deployed on the node A 511, and an application VM 542,which contains another application server, can be deployed on the node B512. Additionally, a FWL VM 543, which contains a FWL appliance, can bedeployed on the node C 513, and a FWL VM 544, which contains another FWLappliance, can be deployed on the node D 514.

Furthermore, each of the nodes A-D 511-514 can use one or more hostchannel adaptors (HCAs) for connecting to the network. For example, thenode A 511 uses the HCA A 521, the node B 512 uses the HCA B 522, thenode C 513 uses the HCA C 523, and the node D 514 uses the HCA D 524.

As shown in FIG. 5, each of the HCA A-D 521-524 can have two ports (e.g.a port 1 and a port 2). In order to support high availability (HA) inthe network environment 500, the system can connect the different HCAports for the nodes A-D 511-514 via different switches A-B 501-502.

In accordance with an embodiment of the invention, different HCA portson the same node can be independently assigned to the different membersin each FWL HA pair. For example, the subnet administrator (SA) in an IBsubnet can be aware of the HA pairs, when assigning the FWL destinationlocal identifiers (DLIDs).

As shown in FIG. 5, all of the ports 1 on the nodes A-D 511-514 can beconnected to the switch A 501, while all of the ports 2 on the nodes A-D511-514 can be connected to the switch B 502. Thus, when a failureoccurs on one of the switches, e.g. on the switch A501, the traffic inthe engineered system 500 (among the nodes A-D 511-514) can still betransmitted through the switch B 502 and the firewall (FWL) applianceson node D 514 can be used for inspecting the traffic. (Additionally,such a scheme can be generalized to the case of multiple HCAs per nodewithout limitation.)

FIG. 6 illustrates an exemplary flow chart for providing a data servicefor handling native data in a network environment, in accordance with anembodiment of the invention. As shown in FIG. 6, at step 601, the systemcan provide a data service component on a node in the networkenvironment, wherein the network environment includes a plurality ofnodes interconnected via a network fabric. Then, at step 602, the systemcan use a native packet forwarding mechanism to direct a data flow inthe network fabric to said data service component on the node.Furthermore, at step 603, the system can use said data service componentto process one or more data packets in the data flow in the networkfabric.

Controlling the Data Flow

FIG. 7 shows an illustration of a subnet administrator (SA) in a networkenvironment, in accordance with an embodiment of the invention. As shownin FIG. 7, an IB fabric 700 can include a subnet administrator (SA) 701,which can provide path record resolution (PR) for supportingcommunication between various nodes in the IB fabric 700. For example, apath record, such as a pathrecord in the IB protocol, can include theaddress information and other information that relates to differentfields in the IB headers (such as the P_Key, Q_Key, SL, etc.).

Additionally, the system can provide an interface 710 for configuringthe SA 701 with different policies 720. The interface 710 can be acommand line interface (CLI) and/or an application programming interface(API).

In accordance with an embodiment of the invention, the policies 720 candefine what traffic should pass through a data service node (e.g. afirewall) before reaching the destination node, and what traffic can beforwarded directly to the destination node. Furthermore, the policiescan be implemented based on the source and destination globalidentifiers (GIDs). Also, the policies can be implemented based on aservice ID, which provides the application-level differentiation.Additionally, the policies can be implemented based on IB partitions.

For example, a use case may support a policy that requires allcommunication between a middleware machine and a cluster databasemachine must go through a firewall node.

Additionally, a uses case may support a policy that requires the use ofa specific IB partition, which is associated with a particular P_Key.For example, the specific IB partition can be used solely for thefirewall controlled communication between all application tier serversand a database. If a path record resolution request is within thecontext of the specific IB partition, the SA 701 can use this policy toindicate that all packets on that path should be routed through thefirewall.

Another use case may support a policy for the BoW deployment thatinvolves two independent subnets. The SM may not be able to discover apath between the source and destination in two independent subnets, bysimply examining the fabric topology. Using the policy, the SM can beinformed that a path between the source and the destination existsthrough a particular data service component. Also, when the BoWdeployment involves multiple IB partitions, the P_Key for each partitioncan be specified in the policy.

As shown in FIG. 7, the SA 701 can receive a PR request 711 from arequester (e.g. a source node). The SA 701 can resolve the destinationlocal address, e.g. a destination local identifier (DLID), according tothe policies 720. Then, the SA 701 can send a PR response 712, whichincludes the resolved destination local address, back to the requester.Thus, the source node can send a data packet to the destination nodebased on the resolved DLI D.

Alternatively, the SA 701 may determine that the source node shoulddirect the data packet to an intermediate node, such as a data servicenode with a data service component (e.g. a software firewall) beforeforwarding the data packet to the destination node. The SA 701 canprovide the source node with a DLID for the data service node instead ofa DLID for the destination node. Additionally, the SA 701 can determinewhich data service node should be used when multiple instances of thedata service component exist in the network environment 700.

FIG. 8 shows an illustration of supporting a control flow for providinga data service in a network environment, in accordance with anembodiment of the invention. As shown in FIG. 8, a network environment800 can include a plurality of nodes, e.g. nodes A-D 801-804, which areinterconnected using one or more switches, e.g. a switch 810.

The switch 810 can be used to direct the data flow in the networkenvironment 800. The switch 810 can include a subnet administrator (SA)820, which can perform the path record resolution operation based ondifferent rules or policies, e.g. rules 830. The SA 820, which runs in asecure environment on a switch 810 (or on a secure node), can implementvarious logics for performing address resolution tasks.

In accordance with an embodiment of the invention, based on the SApolicies, the system can take advantage of the global routing header(GRH) in the IB packet for establishing communication through differentpaths that can be either within an IB subnet or among multiple IBsubnets. (The GRH was originally defined in the IB specification forestablishing communication among different IB subnets)

For example, the SA 820 can use a field in a path record resolutionresponse (e.g. the HopLimit field) to indicate to the host softwarestack that a GRH may be required for establishing communication througha specific path within an IB subnet.

As shown in FIG. 8, the node A 801 can host an application VM A 811 thatcontains an application server. The application VM A 811 can beassociated with a global identifier (GID) A 821 (e.g. 0xAAAA) and alocal port with a local identifier (LID) A 831 (e.g. 0xA). Furthermore,the node B 802 can host an application VM B 812 that contains anapplication server. The application VM B 812 can be associated with aGID B 822 (e.g. 0xBBBB) and a local port with a LID B 832 (e.g. 0xB).Also, the node C 803 can host an application VM C 813 that contains anapplication server. The application VM C 813 can be associated with aGID C 823 (e.g. 0xCCCC) and a local port with a LID C 833 (e.g. 0xC).

Additionally, the network environment 800 can include a data servicenode D 804, which can host a data service VM D 814. The data service VM814 can be associated with a GID D 824 (e.g. 0xDDDD) and a local portwith a local identifier D 834 (e.g. 0xD). Additionally, the data servicenode D 804 can host one or more application VMs in addition to the dataservice VM 814.

As shown in FIG. 8, within an IB fabric in the network environment 800,the data flow, which includes the transmitted data packets (as shown insolid line), can be based on the standard LID-based forwarding featureas provided by the switch 810. Additionally, the control flow, whichincludes various control information (as shown in dashed line), can bebased on the address resolution feature as provided by the SA 820.

For example, a set of exemplary rules 830 can be defined in thefollowing table.

0xAAAA -0xBBBB -> 0xD 0xCCCC -0xBBBB -> 0xB 0xDDDD (0xAAAA) -0xBBBB ->0xB

As shown in the above table, the first rule defines that all packets,which are originated from the VM with GID 0xAAAA and are targeting theVM with GID 0xBBBB, should be transmitted with the DLID 0xD. The secondrule defines that all packets, which are originated from the VM with GID0xCCCC and are targeting the VM with GID 0xBBBB, should be transmittedwith the DLID 0xB. The third rule defines that all packets, which aresent from the VM with GID 0xDDDD (originated from 0xAAAA) and aretargeting the VM with GID 0xBBBB, should be transmitted with the DLID0xB.

As shown in FIG. 8, the node A 801 can initiate a data flow to the nodeB 802, by sending a PR request 841 to the SA 820 on the switch 810.After the subnet administrator 820 receives the PR request 841 from thenode A 801, the SA 820 can process the PR request 841 according to thefirst rule in the above table, and send a PR response 842 to the node A801. The PR response 842 can indicate that the data packet needs to bedirected to the data service node D 804, which has a local port that canbe identified using the LID 0xD.

Then, the source node A 801 can direct the data flow 851 to the dataservice node D 804. After the data service node D 804 has processed thereceived data flow 851, the data service node D 804 can send a PRrequest 843 to the SA 820. The SA 820 can, in turn, return a PR response844 that contains the real address of the node B 802. Thus, the dataservice node D 804 can direct the data flow 852 to the destination nodeB 802. Alternatively, the data service node D 804 may decide to drop thereceived packets.

Also as shown in FIG. 8, the SA 820 can direct the data flow 853directly from the node C 803 to the node B 802 bypassing the dataservice node D 804. In this example, the node C 803 can first send a PRrequest 845 to the SA 820. Then, the SA 820 can return the real addressof the node B 802 in a PR response 846.

In accordance with an embodiment of the invention, the data service nodeD 804 can use other mechanisms to obtain a mapping of the destinationGID to the destination LID without limitation. For example, both thedata flow and the control flow can be based on the LID forwardingfeature or both the data flow and the control flow can be based on theaddressing scheme as enforced by the subnet administrator (SA) 820.

Furthermore, when a VM is the member of multiple IB partitions,different forwarding rules can be defined for the different IBpartitions (e.g. based on the different P_Keys). Thus, the traffic onsome IB partitions can be directly routed to the destination, whiletraffic on other IB partitions may need to be routed to the data serviceappliance.

FIG. 9 shows an illustration of supporting a data flow for providing adata service in a network environment, in accordance with an embodimentof the invention. As shown in FIG. 9, nodes A-B 901-902 in a networkenvironment 900 can communicate with each other via an intermediate node910.

The node A 901, which is associated with a host channel adaptor (HCA)921, includes an application virtual machine (VM) 911 that hosts anapplication server. Furthermore, the node B 902, which is associatedwith a host channel adaptor (HCA) 922, includes an application VM 912that hosts another application server.

Additionally, the intermediate node 910, which is associated with a hostchannel adaptor (HCA) 940, can include a data service VM 931 and anapplication VM 932 (i.e. the data service VM 931 and the application VM932 shares the same physical machine). The data service VM 931 can hosta data service component and the application VM 932 can host anapplication server.

In order to prevent the direct communication between the node A 901 andthe node B 902, the system can configure both the node A 901 and thenode B 902 as limited members of a partition in an IB fabric, whileallowing the intermediate node 910 to be a full member of the partition.

As shown in FIG. 9, the data flow from the node A 901 can be initiatedby the application VM 911 using the transmitting (Tx) queue pairs (QPs)951. Furthermore, based on a PR response received from the SA, the nodeA 901 can send data packets to the receiving (Rx) queue pairs (QPs) 954on the intermediate node 910. Thus, the data service VM 931 on theintermediate node 910 can receive the data packets from the node A 901via the Rx QPs 954.

Then, the data service component in the data service VM 931 can processthe incoming data flow. For example, the data service VM 931 can providefirewall service by examining the incoming data flow and can dropquestionable data packets. Additionally, the data service VM 931 canprovide other data services, such as sniffing, performance monitoring,and load balancing.

After completing the data processing, the data service VM 931 cantransmit the outgoing data packets from the Tx QPs 953 to the Rx QPs 958on the node B 902 (e.g. based on the standard LID-based switching).Thus, the application VM 912 can receive the data packets in the dataflow.

Furthermore, the application VM 912 on the node B 902 can send a returnpacket back to the application VM 911 on the node A 901, via theintermediate node 910. As shown in FIG. 9, the return data flow canstart from the Tx QPs 957 on the node B 902 and ends at the Rx QPs 952on the node A 901, via the Rx QPs 954 and Tx QPs 953 on the intermediatenode 910. Thus, the application VM 911 on node A 901 can receive thereturn packets from the node B 902.

Additionally, the application VM 932, which is located on theintermediate node 910, can send one or more data packets to other nodes(e.g. via the Tx QPs 955), through the data service VM 931. Also, theapplication VM 932 can receive one or more data packets from other nodes(e.g. via the Rx QPs 956). Furthermore, depending on the policyconfiguration, the application VM 932 can send one or more data packetsto other nodes and/or receive one or more data packets from other nodesdirectly, bypassing the data service 931.

In accordance with an embodiment of the invention, the processing of thedata flow at the data service VM 931 on the intermediate node 910 can betransparent to both the source node A 901 and the destination node B 902(i.e. node A 901 may actually ‘think’ that it transmits data to the nodeB 902 directly).

Furthermore, the data service component (e.g. a software firewall) inthe data service VM 931 can be a distributed virtualized softwareappliance. Other nodes in the network environment 900 may not be awareof the existence of the intermediate node 910 and the data serviceappliance in the data service VM 931.

FIG. 10 illustrates an exemplary flow chart for controlling the dataflow for handling native data in a network environment, in accordancewith an embodiment of the invention. As shown in FIG. 10, at step 1001,a subnet administrator (SA) can receive a path record resolution requestfrom a source node, wherein the source node uses the path recordresolution request to obtain an address of a destination node. Then, atstep 1002, the SA can provide an address of an intermediate node to thesource node, wherein the intermediate node provides a data service.Furthermore, at step 1003, the source node can send one or more datapackets to the intermediate node based on the address of theintermediate node.

Data Service Addressing

FIG. 11 shows an illustration of a data packet format using InfiniBand(IB) addressing to access a data service in a network environment, inaccordance with an embodiment of the invention. As shown in FIG. 11, anIB subnet 1100 can include a plurality of physical (or virtual) nodes1101-1103 and a subnet administrator (SA) 1120. A source node 1101 cansend a packet (e.g. an IB packet 1110) to a destination node 1103, viaan intermediate node 1102.

The IB packet 1110 can include the payload 1114 and various headersaccording to the IB protocols. These headers can include a globalrouting header (GRH) 1111, a local routing header (LRH) 1112, and otherheaders 1113. Additionally, the IB packet 1110 can be applied withvarious cyclic redundancy checks (CRCs) 1115.

In accordance with an embodiment of the invention, the system can takeadvantage of the destination global identifier (DGID) 1121 in the GRH1111 and the destination local identifier (DLID) 1122 in the LRH 1112for supporting data service addressing in the IB subnet 1100.

For example, the system can set the DLID 1122 in the IB packet 1110 tobe the DLID for the intermediate node 1102 (instead of the DLID for thedestination node 1103). Within the IB subnet 1100, the IB packet 1110can be routed to the intermediate node 1102 based on the DLID 1122 asresolved by the SA 1120. Thus, the IB packet 1110 can be processed usinga data service provided on the intermediate node 1102.

Furthermore, the system can use the DGID 1121 in the GRH 1111 toindicate the DLID for the destination node 1103. Thus, the data servicesoftware in the intermediate node 1102 is able to resolve (or obtain)the real DLID for the destination node 1103 based on the DGID 1121information in the GRH 1111.

In accordance with an embodiment of the invention, the intermediate node1102 can perform additional packet header 1113 and/or payload 1114modifications when necessary. For example, the fabric level accesscontrol can be set up in a way that the source node 1101 and thedestination node 1103 are either limited members of a relevant partitionor not members of the same partition. In such a case, the intermediatenode 1102 may need to change the P_Key value in the IB packet 1110before forwarding the modified packet to the destination node 1103.

FIG. 12 shows an illustration of handling a data packet on anintermediate node in a network environment, in accordance with anembodiment of the invention. As shown in FIG. 12, an intermediate node1210 in an IB subnet 1200 can receive one or more data packets (e.g. anincoming IB packet 1201) from a source node.

The incoming IB packet 1201 may include a global routing header (GRH)1211 and a local routing header (LRH) 1212, in addition to the othersections 1213. For example, the GRH 1211 can contain a destinationglobal identifier (DGID) 1231, e.g. 0xBBBB, for a destination node, andthe LRH 1212 can contain a destination local identifier (DLID) 1232,e.g. 0xF, for the intermediate node 1210.

Furthermore, the intermediate node 1210 can provide a data service, suchas a firewall service that can inspect the incoming IB packet 1201.After processing the incoming IB packet 1201 using the data service, theintermediate node 1210 can send an outgoing IB packet 1202 to thedestination node (as indicated in the DGID 1231 in the incoming IBpacket 1201). Alternatively, the intermediate node 1210 may decide todrop the packet 1203.

As shown in FIG. 12, the outgoing IB packet 1202 can include a GRH 1221and a LRH 1222, in addition to the other sections 1223. The GRH 1221 cancontain a DGID 1241 for the destination node and the LRH 1222 cancontain a DLID 1242 for the destination node.

In accordance with an embodiment of the invention, a path record cache1220 can be used to resolve the real DLID for the destination node,which can be used to direct the outgoing IB packet 1202 to thedestination node within the subnet 1200.

The path record cache 1220 can exist on various nodes in the IB subnet1200, and an SA can coordinate the behavior of the path record cache1220. Thus, the SA is capable of returning the data service address onthe intermediate node 1210 or the destination application address on adestination node for the different requests.

Additionally, the path record cache 1220 can take advantage of anaddress mapping table. The following is an exemplary address mappingtable.

DGID=0xBBBB -> DLID=0xB DGID=0xCCCC -> DLID=0xC DGID=0xAAAA -> DLID=0xA

As shown in FIG. 12, the DGID 1231 in the GRH 1211 can be used by thedata service software for resolving the real destination DLID 1242 basedon the path record cache 1220. For example, the incoming packet 1201 caninclude the header information of ‘DGID=0xBBBB’ and ‘DLID=0xF.’ Applyingthe first rule in the above address mapping table, the intermediate node1210 can update the outgoing packet to include the header information of‘DGID=0xBBBB’ and ‘DLID=0xB.’

Furthermore, the intermediate node 1210 may need to manipulate a P_Keyvalue, which is a field of the basic transport header (BTH) in areceived packet 1201, since both end nodes may be configured as limitedmembers of a corresponding partition. For example, a packet transmittedby a source node may have a limited P_Key (which is configured as mostsignificant bit (MSB) clear). The intermediate node 1210 may need tomodify this limited P_Key to a full P_Key (which is configured as mostsignificant bit (MSB) set), before transmitting the packet to thedestination node.

Additionally, the intermediate node 1210 can provide a mapping for othertransport level address information, such as the QP numbers, the Q_Keyvalues etc. For example, the intermediate node 1210 can use a local QPnumber for receiving one or more data packets from the sender nodes(which can be identified by the source QP number and the source node).Furthermore, the intermediate node 1210 can modify the received packetsto ensure that both the source node and the destination node canidentify the transport level address information as defined by a dataservice on the intermediate node 1210 (rather than as defined by aremote end-node).

Thus, the intermediate node 1210 can control what transport levelresources are exposed between the end nodes. Also, the intermediate node1210 can make use of the local QPs that are implemented by the localhardware, in order to optimize performance and provide different qualifyof service (QoS) on various data flows between different pairs of endnodes.

FIG. 13 shows an illustration of supporting connection management in anetwork environment, in accordance with an embodiment of the invention.As shown in FIG. 13, a source node 1301 and a destination node 1302 inan IB subnet 1300 can communicate with each other via an intermediatenode 1310.

For example, an IB packet 1311 can be forwarded from the source node1301 to the intermediate node 1310. The incoming IB packet 1311 caninclude a global routing header (GRH) 1317, a local routing header (LRH)1313 and other transport level address information 1315. Additionally,the IB packet 1311 can be applied with a variant cyclic redundancy check(CRC) 1321 and an invariant cyclic redundancy check (CRC) 1323.

Furthermore, the intermediate node 1310 can provide a data service.Then, after processing the incoming IB packet 1311 using the dataservice, the intermediate node 1310 can forward an outgoing IB packet1312 to the destination node 1302. The IB packet 1312 can include aglobal routing header (GRH) 1318, a local routing header (LRH) 1314 andother transport level address information 1316. Additionally, the IBpacket 1312 can be applied with a variant cyclic redundancy check (CRC)1322 and an invariant cyclic redundancy check (CRC) 1324.

In accordance with an embodiment of the invention, the isolation of thesource node 1301 and the destination node 1302 can be implemented usingthe partitioning and/or other IB fabric level access controltechnologies.

The intermediate node 1310 is able to observe all traffic between thesource node 1301 and the destination node 1302. The intermediate node1310 can identify all communication management operations, such as themanagement datagrams (MADs) exchanged between the source node 1301 andthe destination node 1302. Also, the intermediate node 1310 can identifyvarious broadcast/multicast based address resolution operations, such asthe address resolution protocol (ARP) operations.

In accordance with an embodiment of the invention, depending on thepacket types, the intermediate node 1310 can process the received IBpacket 1311 differently based on the observed communication.

For example, the outgoing a packet 1312 can resemble the incoming IBpacket 1311 with only LRH 1314 modified. In such a case, the system mayonly need to re-compute the packet variant CRC 1322. On the other hand,the invariant CRC1324 for the outgoing packet 1312 can remain the sameas the invariant CRC 1322 in the incoming IB packet 1311. Thus, theinvariant CRC 1322, which is generated by the original sender (e.g. thesource node 1301), can protect the data packet all the way to the finalreceiver (e.g. the destination node 1302). The intermediate node 1310can ensure the end-to-end packet integrity in a way that is similar to aswitch.

Alternatively, the intermediate node 1310 may modify other headerinformation such as the transport level address information 1315 in theIB packet 1311, and may potentially modify the IB packet payload in theIB packet 1311.

For example, the intermediate node 1310 may need to generate a newinvariant CRC 1324, when P_Key or any other transport header information1315 is modified. In such a case, the system can have completelyindependent packet integrity protection schemes, which may no longerprovide the end-to-end protection between the source node 1301 and thedestination node 1302 within the IB subnet 1300.

Also, the intermediate node 1310 can perform an incremental invariantCRC update to take into account a P_Key, the value of which is modifieddirectly in the packet or is modified via control interface (such asWork Request). Thus, the intermediate node 1310 can preserve dataintegrity characteristics of the IB payload and the HCA 1510 allows themodification of the IB P_Key for supporting isolation between two endpoints.

In accordance with an embodiment of the invention, the system can employa separate bit error protection scheme for protecting involved buffersand data path, in order to minimize the risk of bit errors that may beintroduced by the generation of the new invariant CRCs 1324 at theintermediate node 1310. Also, the system can take advantage of variousend-to-end protocols, which are based on additional checksums, in orderto protect the end-to-end data integrity.

FIG. 14 illustrates an exemplary flow chart for supporting data serviceaddress resolution for handling native data in a network environment, inaccordance with an embodiment of the invention. As shown in FIG. 14, atstep 1401, an intermediate node can receive an incoming data packet froma source node, wherein the incoming data packet targets a destinationnode, and wherein the incoming data packet includes a global identifierfor the destination node and a local identifier for the intermediatenode. Then, at step 1402, the intermediate node can obtain localaddressing information for the destination node based on the globalidentifier for the destination node. Furthermore, at step 1403, theintermediate node can send an outgoing data packet to the destinationnode based on the obtained local addressing information for thedestination node.

Host Channel Adaptor (HCA) Filtering

FIG. 15 shows an illustration of supporting host channel adaptor (HCA)filtering for providing data services in a virtualized environment, inaccordance with an embodiment of the invention. As shown in FIG. 15, adata service node 1501 in a network environment 1500 can use a networkconnecting device, such as a host channel adaptor (HCA) 1510, fornetwork connections.

The data service node 1501 can include an application VM 1502, whichincludes an application server 1504, and a data service VM 1503, whichincludes a data service component (e.g. a data service appliance 1505).Furthermore, the data service node 1501 can receive a mixed data flow.The mixed data flow traffic may target either the application VM 1502 orthe data service VM 1503.

As shown in FIG. 15, the data service node 1501 can be associated withthe queue pairs (QPs) 1511-1519. The application VM 1502 can beassociated with the queue pairs (QPs) 1511-1513, and the data service VM1503 can be associated with the receiving (Rx) queue pairs (QPs)1514-1516 and the transmitting (Tx) QPs 1517-1519.

In accordance with an embodiment of the invention, the data service node1501 can use the HCA 1510 for providing filter capabilities. Also, theHCA 1510 can provide various interfaces for programming the filters.

For example, the HCA 1510 can use the LID-based filtering for supportingthe virtual appliance, in which case the HCA Ports for the standardprotocol termination part can be configured with a standard LID/LMC andthe HCA ports for the firewall can be assigned with one or moredifferent LIDs. Alternatively, the HCA 1510 can apply the inverse logic,i.e. any incoming IB packet that does not fall under the standard LIDrange may be directed to the firewall.

As shown in FIG. 15, HCA 1510 can include a receiving (Rx) filter 1508,which can identify packets targeting the data service appliance 1505without protocol termination. Thus, the HCA 1510 can separate the dataflow traffic targeting the data service component 1505 from the dataflow traffic targeting the application server 1504.

For example, the Rx filter 1508 can separate the mixed data flow trafficbased on the data service DLID (e.g. using DLID based filtering). The Rxfilter 1508 can be associated with a data service DLID table 1509. Thefollowing is an exemplary data service DLID table.

DLID=0xF DLID=0xFF

When an incoming packet has a matching DLID, (e.g. 0xF or 0xFF), the Rxfilter 1508 can direct the packet to the data service component 1505 onthe data service VM 1503, via QPs 1514-1516. The HCA 1510 can treatthese packets as raw packets, and can forward these incoming packets asthey have been received (i.e. including all IB headers).

On the other hand, if an incoming packet does not have a matching DLID(i.e. with a DLID other than 0xF and 0xFF), the Rx filter 1508 candirect the incoming packet to the application server 1504 on theapplication VM 1502, which can use an IB protocol engine 1506 to handlethe IB packet according to the IB protocol.

Alternatively, the Rx filter 1508 can use the DGID information in theGRH in an incoming packet for determining where to forward the packet.When an incoming packet has a matching DGID, the Rx filter 1508 candirect the packet to the data service component 1505 on the data serviceVM 1503. If the incoming packet does not have a matching DGID, the Rxfilter 1508 can direct the packet to the application server 1504 on theapplication VM 1502, which can use an IB protocol engine 15015 to handlethe IB packet according to the IB protocol.

Additionally, the Rx filter 1508 can be based on invert filtering (orreverse filtering). For example, the invert filtering can be beneficialin the bump-on-the-wire (BOW) use case (i.e. when the data service node1501 separates two communicating nodes).

In such a case, the HCA 1510 can use its standard port LID configurationto identify the packets that target the application VM 1502. The HCA1510 can process these packets according to the IB standard definition.Furthermore, the HCA 1510 can treat all other packets as targeting thedata service component 1505.

In accordance with an embodiment of the invention, the HCA 1510 canspread traffic across multiple queue pairs (QPs), such as Rx QPs1514-1516, to allow for parallel processing (e.g. using multiple threads1531-1533).

For example, the HCA 1510 can take advantage of a receive side scaling(RSS) filter 1507, which can spread traffic across multiple queue pairs(QPs) 1514-1516. The data service component 1505 can allocate thedifferent threads 1531-1533 for processing the packets arriving on theQPs 1514-1516. Additionally, said QPs 1514-1516 may expose a hardwareinterface directly to the data service component 1505 bypassing anoperating system on the node

Furthermore, in order to minimize the overhead for data processing, theRSS filter 1507 can direct the different packets received from the samedata flow to a single data service thread. Alternatively, the HCA 1510can use other hash-based filters, or other types of filters, forspreading traffic across multiple queue pairs (QPs) 1514-1516 to allowfor parallel processing. Additionally, the HCA 1510 can direct the dataflow according to the core affinity, and can preserve the ordering ofthe packets within the data flow.

Then, the data service component 1505, e.g. a software FWL service, canprocess the incoming data packets, such as modifying the IB headersincluding the DLID information and/or inspecting packet headers and/orpayload for filtering and monitoring purposes.

In accordance with an embodiment of the invention, the HCA 1510 cansupport raw mode packet forwarding. On the receiving side, the HCA 1510can validate CRCs, can forward packets in raw format (with all IBheaders) to multiple application level QPs without IB protocoltermination, and can use a RSS filter 1507 for spreading load tomultiple receiving queues (RQs). On the transmitting side, the packetsprocessed by the data service component 1505 can be submitted to the HCA1510 in raw format, e.g. via QPs 1517-1519. The HCA 1510 can generateCRCs, and allows an application to post packets in raw format (with allIB headers) from multiple application level QPs.

In accordance with an embodiment of the invention, the HCA 1510 cansupport a router usage model. If the DGID in the incoming packet matchesa DGID for an ingress HCA port, then the packet can be processedaccording to the IB protocol. If the DGID in the incoming packet doesnot match any DGID for the ingress HCA ports, then the packet can beforwarded to one of the designated set of Rx QPs, where the packet canbe inspected (and optionally modified) by the software running on thehost node 1501 before forwarding to a destination node. When the hostsoftware determines that data packet should be forwarded, the entirepacket (potentially with modified IB headers) can be sent using a sendqueue. The send queue can support raw packet where the HCA 1510 hardware(HW) can optionally generate a variant cyclic redundancy check (CRC) andan invariant cyclic redundancy check (CRC), while sending the packet.

In accordance with an embodiment of the invention, the HCA 1510 allowsno software stack overhead, and can deliver packets directly to theprocessing threads with no need to copy data. Furthermore, the HCA 1510may only touch necessary portions of headers. For example, the HCA 1510can support header/data separation (or hits). Additionally, the HCA 1510can take advantage of multiple per-processing thread dedicated queuesfor scaling out efficiently with multiple cores.

Additionally, the HCA 1510 can provide hardware assistance for cyclicredundancy check (CRC) validation 1521 and CRC generation 1522. Also,the HCA 1510 can perform an incremental invariant CRC update to takeinto account a P_Key, the value of which is modified directly in thepacket or is modified via control interface (such as Work Request).Thus, the HCA 1510 can preserve data integrity characteristics of the IBpayload and the HCA 1510 allows the modification of the IB P_Key forsupporting isolation between two end points.

FIG. 16 shows an illustration of supporting host channel adaptor (HCA)filtering for providing data services in a non-virtualized environment,in accordance with an embodiment of the invention. As shown in FIG. 16,a data service node 1601 in a network environment 1600 can use a networkconnecting device, such as a host channel adaptor (HCA) 1610, fornetwork connections.

The data service node 1601 can include an application server 1604, and adata service component (e.g. a data service server 1605). Furthermore,the data service node 1601 can receive a mixed data flow. The mixed dataflow traffic may target either the application server 1604 or the dataservice server 1605.

As shown in FIG. 16, the data service node 1601 can be associated withthe queue pairs (QPs) 1611-1619. The application server 1604 can beassociated with the queue pairs (QPs) 1611-1613, and the data serviceserver 1605 can be associated with the receiving (Rx) queue pairs (QPs)1614-1616 and the transmitting (Tx) QPs 1617-1619.

In accordance with an embodiment of the invention, the data service node1601 can use the HCA 1610 for providing filter capabilities (in afashion similar to the virtualized environment as shown in FIG. 15).

As shown in FIG. 16, HCA 1610 can include a receiving (Rx) filter 1608,which can identify packets targeting the data service server 1605without protocol termination. Thus, the HCA 1610 can separate the dataflow traffic targeting the data service server 1605 from the data flowtraffic targeting the application server 1604 (which uses an IB protocolengine 1606 to handle the IB packets according to the IB protocol).

In accordance with an embodiment of the invention, the HCA 1610 canspread traffic across multiple queue pairs (QPs), such as Rx QPs1614-1616, to allow for parallel processing (e.g. using multiple threads1631-1633). For example, the HCA 1610 can take advantage of a receiveside scaling (RSS) filter 1607, which can spread traffic across multiplequeue pairs (QPs) 1614-1616. The data service server 1605 can allocatethe different processes 1631-1633 for processing the packets arriving onthe QPs 1614-1616.

In accordance with an embodiment of the invention, the HCA 1610 cansupport raw mode packet forwarding. Additionally, the HCA 1610 canprovide hardware assistance for cyclic redundancy check (CRC) validation1621 and CRC generation 1622.

On the receiving side, the HCA 1610 can validate CRCs, can forwardpackets in raw format (with all IB headers) to multiple applicationlevel QPs without IB protocol termination, and can use a RSS filter 1607for spreading load to multiple receiving queues (RQs). On thetransmitting side, the packets processed by the data service component1605 can be submitted to the HCA 1610 in raw format, e.g. via QPs1617-1619. The HCA 1610 can generate CRCs, and allows an application topost packets in raw format (with all IB headers) from multipleapplication level QPs.

FIG. 17 illustrates an exemplary flow chart for supporting HCA filteringfor providing data service in a network environment, in accordance withan embodiment of the invention. As shown in FIG. 17, at step 1701, thesystem can associate a networking device with a node in the networkenvironment, wherein the node is deployed with a data service componentthat can provide a data service. Then, at step 1702, the networkingdevice can use a filter to identify one or more packets targeting thedata service component without protocol termination. Furthermore, atstep 1703, the filter can forward said one or more packets to the dataservice component.

Many features of the present invention can be performed in, using, orwith the assistance of hardware, software, firmware, or combinationsthereof. Consequently, features of the present invention may beimplemented using a processing system (e.g., including one or moreprocessors).

Features of the present invention can be implemented in, using, or withthe assistance of a computer program product which is a storage medium(media) or computer readable medium (media) having instructions storedthereon/in which can be used to program a processing system to performany of the features presented herein. The storage medium can include,but is not limited to, any type of disk including floppy disks, opticaldiscs, DVD, CD-ROMs, microdrive, and magneto-optical disks, ROMs, RAMs,EPROMs, EEPROMs, DRAMs, VRAMs, flash memory devices, magnetic or opticalcards, nanosystems (including molecular memory ICs), or any type ofmedia or device suitable for storing instructions and/or data.

Stored on any one of the machine readable medium (media), features ofthe present invention can be incorporated in software and/or firmwarefor controlling the hardware of a processing system, and for enabling aprocessing system to interact with other mechanism utilizing the resultsof the present invention. Such software or firmware may include, but isnot limited to, application code, device drivers, operating systems andexecution environments/containers.

Features of the invention may also be implemented in hardware using, forexample, hardware components such as application specific integratedcircuits (ASICs). Implementation of the hardware state machine so as toperform the functions described herein will be apparent to personsskilled in the relevant art.

Additionally, the present invention may be conveniently implementedusing one or more conventional general purpose or specialized digitalcomputer, computing device, machine, or microprocessor, including one ormore processors, memory and/or computer readable storage mediaprogrammed according to the teachings of the present disclosure.Appropriate software coding can readily be prepared by skilledprogrammers based on the teachings of the present disclosure, as will beapparent to those skilled in the software art.

While various embodiments of the present invention have been describedabove, it should be understood that they have been presented by way ofexample, and not limitation. It will be apparent to persons skilled inthe relevant art that various changes in form and detail can be madetherein without departing from the spirit and scope of the invention.

The present invention has been described above with the aid offunctional building blocks illustrating the performance of specifiedfunctions and relationships thereof. The boundaries of these functionalbuilding blocks have often been arbitrarily defined herein for theconvenience of the description. Alternate boundaries can be defined solong as the specified functions and relationships thereof areappropriately performed. Any such alternate boundaries are thus withinthe scope and spirit of the invention.

The foregoing description of the present invention has been provided forthe purposes of illustration and description. It is not intended to beexhaustive or to limit the invention to the precise forms disclosed. Thebreadth and scope of the present invention should not be limited by anyof the above-described exemplary embodiments. Many modifications andvariations will be apparent to the practitioner skilled in the art. Themodifications and variations include any relevant combination of thedisclosed features. The embodiments were chosen and described in orderto best explain the principles of the invention and its practicalapplication, thereby enabling others skilled in the art to understandthe invention for various embodiments and with various modificationsthat are suited to the particular use contemplated. It is intended thatthe scope of the invention be defined by the following claims and theirequivalence.

What is claimed is:
 1. A method for providing a data service in anetwork environment, comprising: providing a data service component on anode in the network environment, wherein the network environmentincludes a plurality of nodes interconnected via a network fabric; usinga native packet forwarding mechanism to direct a data flow in thenetwork fabric to said data service component on the node; and usingsaid data service component to process one or more data packets in thedata flow in the network fabric.
 2. The method according to claim 1,further comprising: allowing said data service component to share aphysical machine with one or more application servers, or reside on adedicated physical machine.
 3. The method according to claim 1, furthercomprising: deploying said data service component in a virtual machineas a data service appliance, or deploying said data service componentdirectly on a physical machine as a data service server.
 4. The methodaccording to claim 1, further comprising: allowing the network fabric tobe based on an Infiniband network protocol.
 5. The method according toclaim 1, further comprising: connecting one or more data service serversin an external network to the network fabric, via one of an externalnetwork switch and an external network link.
 6. The method according toclaim 1, further comprising: allowing the node to be an intermediatenode, which at least one of physically isolates multiple communicationparties, and isolates multiple communication parties via networkpartitions.
 7. The method according to claim 1, further comprising:running multiple instances of said data service component simultaneouslyon the network fabric in the network environment.
 8. The methodaccording to claim 7, further comprising: deploying multiple instancesof said data service component in pairs.
 9. The method according toclaim 1, further comprising: allowing said data service component toprovide a software firewall (FWL) service that operates to inspectdifferent types of network traffics.
 10. The method according to claim9, further comprising: allowing said data service component to provide atraffic routing service.
 11. A system for providing a data service in anetwork environment, comprising: one or more microprocessors; a dataservice component, running on one or more microprocessors on a node inthe network environment, wherein the network environment includes aplurality of nodes interconnected via a network fabric, and wherein saiddata service component operates to use a native packet forwardingmechanism to direct a data flow in the network fabric to said dataservice component on the node; and use said data service component toprocess one or more data packets in the data flow in the network fabric.12. The system according to claim 11, wherein: said data servicecomponent operates to share a physical machine with one or moreapplication servers, or reside on a dedicated physical machine.
 13. Thesystem according to claim 11, wherein: said data service component isdeployed in a virtual machine as a data service appliance, or deployeddirectly on a physical machine as a data service server.
 14. The systemaccording to claim 11, wherein: the network fabric is based on anInfiniband network protocol.
 15. The system according to claim 11,wherein: one or more data service servers in an external network areconnected to the network fabric, via one of an external network switchand an external network link.
 16. The system according to claim 11,wherein: the node is an intermediate node, which at least one ofphysically isolates multiple communication parties, and isolatesmultiple communication parties via network partitions.
 17. The systemaccording to claim 11, wherein: multiple instances of said data servicecomponent are run simultaneously on the network fabric in the networkenvironment.
 18. The system according to claim 17, wherein: multipleinstances of said data service component are deployed in pairs.
 19. Thesystem according to claim 11, wherein: said data service componentoperates to provide at least one of a software firewall (FWL) servicethat operates to inspect different types of network traffics, and atraffic routing service.
 20. A non-transitory machine readable storagemedium having instructions for providing a data service, stored thereonthat when executed cause a system to perform the steps comprising:providing a data service component on a node in a network environment,wherein the network environment includes a plurality of nodesinterconnected via a network fabric; using a native packet forwardingmechanism to direct a data flow in the network fabric to said dataservice component on the node; and using said data service component toprocess one or more data packets in the data flow in the network fabric.